Allow go builder configuration
Why are we doing this work
As was mentioned in #321081 (closed), the build tags, target OS and architecture determine which dependencies a Go program actually uses. The go builder introduced in Incorrect usage of go.sum in go dependency scan... (#321081 - closed) does not take the build tags or target OS/arch combinations into account when building the module dependency list. Instead, it uses the build constraints of the analyzer environment, e.g. if the analyzer image is Debian/AMD64 then the build constraints will include GOOS=linux GOARCH=amd64. If the production build constraints were GOOS=netbsd GOARCH=arm then this could result in false positives or false negatives. Furthermore, build tags can also affect the final output. Allowing customization of the go build constraints will further improve the accuracy of the go module dependency list generation.
Relevant links
Non-functional requirements
- Documentation:
  - Document how to modify the build constraints utilized by the Go builder.
- Feature flag:
- Performance:
- Testing:
  - Add an integration test suite that expects different outputs when building with different build constraints. See the Build tags, operating systems and architectures section of #321081 (closed) for some examples.
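The effect described under "Why are we doing this work", as an added example (not code from the analyzer or from this issue): a Go sketch that evaluates //go:build lines with go/build/constraint for a given GOOS, GOARCH and tag set and returns the imports of the files that would be compiled. The file contents and the example.com module paths are constructed, and only GOOS, GOARCH and explicit tags are modelled (no filename suffixes, cgo or implied tags).

```go
package main

import (
	"fmt"
	"go/build/constraint"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Constructed sample files (hypothetical modules), one dependency per build constraint.
var files = map[string]string{
	"common.go": "package app\nimport _ \"example.com/core\"\n",
	"linux.go":  "//go:build linux && amd64\n\npackage app\nimport _ \"example.com/epoll\"\n",
	"bsd.go":    "//go:build netbsd && arm\n\npackage app\nimport _ \"example.com/kqueue\"\n",
	"fips.go":   "//go:build fips\n\npackage app\nimport _ \"example.com/fipscrypto\"\n",
}

// Deps returns the sorted imports of the files selected by the given constraints.
// Assumption: only GOOS, GOARCH and explicit tags count; files that fail to parse are skipped.
func Deps(goos, goarch string, tags ...string) []string {
	active := map[string]bool{goos: true, goarch: true}
	for _, t := range tags {
		active[t] = true
	}
	var deps []string
	for name, src := range files {
		first := strings.SplitN(src, "\n", 2)[0]
		if constraint.IsGoBuild(first) {
			expr, err := constraint.Parse(first)
			if err != nil || !expr.Eval(func(tag string) bool { return active[tag] }) {
				continue // file is excluded from this build
			}
		}
		if f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly); err == nil {
			for _, imp := range f.Imports {
				deps = append(deps, strings.Trim(imp.Path.Value, `"`))
			}
		}
	}
	sort.Strings(deps)
	return deps
}

func main() {
	fmt.Println("analyzer  :", Deps("linux", "amd64"))
	fmt.Println("production:", Deps("netbsd", "arm", "fips"))
}
```

Scanning with the analyzer's constraints reports example.com/epoll, which the production build never links, and misses example.com/kqueue and example.com/fipscrypto, which it does.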